Malicious packages have been discovered on the Python Package Index (PyPI), putting developers and businesses at serious risk.
Researchers revealed that several harmful libraries were uploaded to PyPI to steal sensitive data; one of them also tested stolen credit cards against e-commerce checkout systems.
For example, two packages named bitcoinlibdbfix and bitcoinlib-dev posed as fixes for real issues in the trusted bitcoinlib module. These were used to trick users into downloading and running malicious code.
However, a third package named disgrasya was openly malicious and designed specifically for credit card fraud. This one was far more dangerous, according to a recent report.
How These Attacks Work
Both bitcoinlib fakes secretly replaced legitimate commands with scripts to exfiltrate database files. The attackers even joined public GitHub discussions to push these fake fixes.
In contrast, disgrasya didn’t bother hiding its true purpose. It worked as an automated carding tool that simulated shopping behavior to test stolen cards on WooCommerce stores. For example, it would find a product, add it to a cart, fill in the checkout form with fake details, and send stolen credit card data to an external server.
This let attackers check whether cards were still active. Cards that worked were then used for fraudulent purchases or sold on underground forums.
The Bigger Risk Behind These Tools
Carding attacks like this are growing more common. Fraudsters obtain stolen card data from phishing sites or malware, then test the cards using tools like disgrasya.
If small purchases go through, the card is confirmed to be active. These attacks often bypass fraud detection by acting like real users.
What’s more, the malicious package was downloaded over 37,000 times before being removed. This suggests that many systems may have been silently compromised.
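The "acts like a real user" trick only works one card at a time; what gives a carding tool away is the pattern across attempts: one client cycling through many different cards with tiny order amounts in a short window. The following is an added detection example written for this article, not code from the report or from any store platform. It runs over a constructed checkout log (fake IPs and card fingerprints), and the window, card-count and amount thresholds are assumptions a merchant would tune.

```python
"""Detect card-testing ("carding") bursts in checkout logs.

Heuristic: a carding tool cycles through many different stolen cards from
one client, usually with tiny order amounts, to find cards that still work.
A legitimate shopper rarely tries more than a couple of cards.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, client IP,
# card fingerprint (BIN-last4), order amount, gateway result.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 411111-1111 1.00 declined
2024-05-01T10:00:04Z 203.0.113.7 411111-2222 1.00 declined
2024-05-01T10:00:07Z 203.0.113.7 555555-3333 1.00 approved
2024-05-01T10:00:10Z 203.0.113.7 555555-4444 1.00 declined
2024-05-01T10:00:13Z 203.0.113.7 411111-5555 1.00 approved
2024-05-01T10:02:00Z 198.51.100.9 411111-9999 49.99 approved
2024-05-01T10:05:00Z 198.51.100.9 411111-9999 12.50 approved
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, card, amount, result = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "card": card,
            "amount": float(amount),
            "result": result,
        })
    return events


def find_carding_bursts(events, window=timedelta(minutes=5),
                        min_distinct_cards=3, small_amount=5.00):
    """Return {ip: set_of_cards} for clients that tried at least
    min_distinct_cards different cards with small amounts inside a
    sliding time window (thresholds are assumed values, tune per store)."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["amount"] <= small_amount:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            cards = {e["card"] for e in evs[start:end + 1]}
            if len(cards) >= min_distinct_cards:
                flagged[ip] = cards
    return flagged


def approved_cards_to_review(events, flagged):
    """Cards approved during a flagged burst: the attacker now knows these
    are live, so the merchant should void/refund and report them."""
    return sorted({e["card"] for e in events
                   if e["ip"] in flagged and e["result"] == "approved"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_carding_bursts(evs)
    for ip, cards in hits.items():
        print(f"carding burst from {ip}: {len(cards)} distinct cards")
    print("approved during burst:", approved_cards_to_review(evs, hits))
```

The second shopper (two orders, one card, normal amounts) is never flagged even though both orders were approved; the first client is flagged on the third distinct card, before the attacker has finished the batch, which is the point at which a CAPTCHA or retry limit (see the protection list below) should kick in.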
How to Protect Yourself from Malicious Packages
To avoid threats like these:
- Check package sources and version history before installing.
- Don’t trust quick fixes posted in public forums without verification.
- Use automated dependency scanners to catch malicious behavior.
- Enable bot protection and CAPTCHA at checkout pages.
- Block small-dollar transactions or limit payment retries.
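The first three points can be partly automated before anything is installed. The following is an added example written for this article, not the project's or any scanner's own code: it audits a requirements file for the lure used here (a trusted package name with a "fix" or "dev" style suffix bolted on, or a near-misspelling) and for entries that are not pinned to a version and hash, which is what lets a swapped artifact slip in. The TRUSTED set, the suffix list, the 0.85 similarity cutoff and the sample requirements text are all constructed assumptions.

```python
"""Pre-install audit of a requirements file.

Flags (1) package names that imitate a trusted dependency by appending a
suffix or misspelling it, (2) entries with no == pin, and (3) entries with
no --hash, so pip cannot verify the downloaded artifact.
"""
import re
from difflib import SequenceMatcher

# Assumption: the dependencies this project intentionally uses.
TRUSTED = {"bitcoinlib", "requests", "cryptography"}

# Suffixes that malicious look-alikes commonly append to a trusted name.
SUSPICIOUS_SUFFIXES = ("fix", "dev", "patch", "update", "new", "latest")

# Constructed requirements text for the demo (not from the incident).
SAMPLE_REQUIREMENTS = """\
requests==2.32.3 --hash=sha256:aaaa
bitcoinlib==0.6.15 --hash=sha256:bbbb
bitcoinlibdbfix
bitcoinlib-dev>=0.1
cryptography==42.0.0
"""

REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 name normalisation: case-fold, collapse runs of -_. to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def lookalike_of(name):
    """Return the trusted name this package imitates, or None.

    Catches trusted+suffix ('bitcoinlibdbfix'), trusted-suffix
    ('bitcoinlib-dev') and near-misspellings ('requets'). A legitimate
    extension such as 'requests-oauthlib' is not flagged: its suffix is
    not in the list and its similarity ratio is well below the cutoff.
    """
    n = normalize(name)
    trusted_norm = {normalize(t): t for t in TRUSTED}
    if n in trusted_norm:
        return None
    for t_norm, t in sorted(trusted_norm.items()):
        if n.startswith(t_norm):
            rest = n[len(t_norm):].lstrip("-")
            if rest.endswith(SUSPICIOUS_SUFFIXES):
                return t
        # 0.85 is an assumed cutoff for "one or two characters off"
        if SequenceMatcher(None, n, t_norm).ratio() >= 0.85:
            return t
    return None


def audit_requirements(text):
    """Return a list of (package, issue) findings for a requirements file."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or pip option line
        m = REQ_NAME.match(line)
        if not m:
            continue
        name = m.group(1)
        imitated = lookalike_of(name)
        if imitated:
            findings.append((name, f"looks like a variant of trusted package '{imitated}'"))
        if "==" not in line:
            findings.append((name, "version not pinned with =="))
        if "--hash=" not in line:
            findings.append((name, "no --hash, pip cannot verify the artifact"))
    return findings


if __name__ == "__main__":
    for package, issue in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{package}: {issue}")
```

Run it as a pre-commit or CI step that fails on any finding. The name check is only a first filter (it will not catch a wholly unrelated name like disgrasya), so it belongs alongside, not instead of, the dependency scanners the list above mentions; the pin-and-hash checks are what stop a package being silently replaced after review.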
Malicious packages can cause real harm fast. However, with careful validation and strong security controls, you can block attackers before they strike.
Sleep well, we got you covered.